cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from LepidaID.
Password must:
- be 8 to 16 characters in length
- contain at least 1 upper-case character
- contain at least 1 lower-case character
- contain at least 1 number
- contain at least 1 non-alphanumeric character
- not contain more than 2 of the same consecutive characters
- not contain any public da...
https://dumbpasswordrules.com/sites/lepidaid/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Copart.
Copart: "The security of our members is extremely important to us."
Also Copart: "We're gonna need you to keep your password between 5-10 characters."
https://dumbpasswordrules.com/sites/copart/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Trade Me.
Won't allow spaces or single quotes. Maybe other characters as well -
they do not say up front - but the password they accepted contained lots
of other special characters.
https://dumbpasswordrules.com/sites/trade-me/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CGHS.
Can't use any special characters except @ $ # ? _ * &
https://dumbpasswordrules.com/sites/cghs/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from myezyaccess.com patient portal system.
12-character maximum password length. This is not a single website but a patient portal system used by hundreds of medical facilities via subdomains, with password policy apparently being consistent for all sites.
https://dumbpasswordrules.com/sites/myezyaccess-com-patient-portal-system/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BBVA.
Username is your national ID (easy to find) and your password must have up to **6** alphanumeric characters only.
For a bank account with all your money in one of the largest financial institutions in the world.
https://dumbpasswordrules.com/sites/bbva/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Pole-Emploi.
Password must contain at least one letter, one number and one character from `&-_@*%=.,;:!?` only.
It rejected passwords generated by pass, while accepting `p@ssw0rd!`...
They also block pasting on the password confirmation field,
forcing you to manually type your 32-letters-long generated passwo...
https://dumbpasswordrules.com/sites/pole-emploi/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Mes Services Étudiant.
At least 6 characters, one uppercase letter, one lowercase letter, one digit
and one "special character".
These do not count as "special characters": `` + - = | @ " ' # ( ) [ ] { } < > / \ ` ;``.
https://dumbpasswordrules.com/sites/mes-services-etudiant/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from South Western Railway.
Certain special characters disallowed, but notably the phrase " or " is disallowed also. They're probably papering over SQL injection vulnerabilities 🤦
https://dumbpasswordrules.com/sites/south-western-railway/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
"Billions of people worldwide use private messaging platforms like Signal, WhatsApp, and iMessage to communicate securely. This is possible thanks to end-to-end encryption (E2EE), which ensures that only the sender and the intended recipient(s) can view the contents of a message, with no access possible for any third party, not even the service provider itself. Despite the widespread adoption of E2EE apps, including by government officials, and the role of encryption in safeguarding human rights, encryption, which can be lifesaving, is under attack around the world. These attacks most often come in the form of client-side scanning (CSS), which is already being pushed in the EU, UK, U.S., and Australia.
CSS involves scanning the photos, videos, and messages on an individual’s device against a database of known objectionable material, before the content is then sent onwards via an encrypted messaging platform. Before an individual uploads a file to an encrypted messaging window, it would be converted into a digital fingerprint, or “hash,” and compared against a database of digital fingerprints of prohibited material. Such a database could be housed on a person’s device, or at the server level.
Proponents of CSS argue that it is a privacy-respecting method of checking content in the interests of online safety, but as we explain in this FAQ piece, CSS undermines the privacy and security enabled by E2EE platforms. It is at odds with the principles of necessity and proportionality, and its implementation would erode the trustworthiness of E2EE channels; the most crucial tool we have for communicating securely and privately in a digital ecosystem dominated by trigger-happy surveillance."
https://www.accessnow.org/why-client-side-scanning-is-lose-lose-proposition/
#CyberSecurity #Encryption #ClientSideScanning #E2EE #Privacy #DataProtection #Surveillance
This dumb password rule is from American Express.
Sometimes I forget that caps-lock is on, glad it doesn't matter.
https://dumbpasswordrules.com/sites/american-express/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sephora.
Password must be between 6 and 12 characters. No other rules
specified.
https://dumbpasswordrules.com/sites/sephora/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Parnassus Investments.
A site responsible for protecting your investments limiting you to a
four character range with a bunch of other stupid rules? Shocking.
https://dumbpasswordrules.com/sites/parnassus-investments/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🆕 blog! “How random are TOTP codes?”
I'm pretty sure that the 2FA codes generated by my bank's TOTP app have a bias towards the number 8 - because eight is an auspicious number. But is that just my stupid meaty brain noticing patterns where none exist? The TOTP algorithm uses HMAC, which in turn uses SHA-1. My aforementioned brain is not […]
👀 Read more: https://shkspr.mobi/blog/2024/07/how-random-are-totp-codes/
⸻
#algorithms #CyberSecurity #totp
This dumb password rule is from UniSuper.
Passwords need:
- a lower case letter
- a number
- a capital letter
- at least 8 characters
In the 'Change password' form,
passwords are now restricted to a `maxlength` of 18.
If your current password is longer than 18 characters,
you won't be able to change your password.
When I contacted them...
https://dumbpasswordrules.com/sites/unisuper/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from University of Texas at Austin.
Because of the last two rules, which ban dictionary words and any
variants using symbol substitutions, *neither* of the passwords
presented in the [xkcd comic](https://xkcd.com/936/) are allowed.
https://dumbpasswordrules.com/sites/university-of-texas-at-austin/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BMO Bank of Montreal.
Password requires at least one special character but disallows backtick `` ` ``, backslash `\`, vertical bar `|`, and underscore `_`.
https://dumbpasswordrules.com/sites/bmo-bank-of-montreal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Interesting catch by Dark Tower's Gary Warner: the data sample of a supposed new Verizon breach with 61 million records is full of fake data.
Same (new) account is offering "new breach dumps" from multiple other firms claiming hundreds of millions of records.
Not a new thing, but I expect it's much exacerbated by GenAI.
🆕 blog! “Are Brother's Insecure Printers Illegal in the UK?”
Another day, another security disaster! This time, multiple printers from Brother have an unfixable security flaw. That's bad, obviously, but is it illegally bad?
Let's take a look at details of the vulnerability:
An unauthenticated attacker who knows the target device's serial…
👀 Read more: https://shkspr.mobi/blog/2025/07/are-brothers-insecure-printers-illegal-in-the-uk/
⸻
#CyberSecurity #IoT #law #legal #Legislation
This dumb password rule is from Fidelity National Information Services.
White label online banking provider. Typically appears as `BANK.ibanking-services.com` or `BANK.ebanking-services.com`. If your small local bank has a crappy online banking experience, these guys probably provide it.
`\<>'` and spaces prohibited, upper bound. Passwords of exactly the maximum len...
https://dumbpasswordrules.com/sites/fidelity-national-information-services/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Mindware.
You "*may use special characters*", but only some of them - and we won't
necessarily tell you which ones.
https://dumbpasswordrules.com/sites/mindware/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Solid reporting on some serious security vulnerabilities found in all Coros devices that Coros initially did not address appropriately. They have now provided a timeline for updates which hopefully they can hit. Not a great look, and, as the article mentions, pretty typical reactive security versus proactive security that is way too common in this day and age. https://www.dcrainmaker.com/2025/06/coros-confirms-substantial-watch-security-vulnerablity-says-fixes-are-coming.html #cybersecurity #coros
This dumb password rule is from Vietnam Airlines.
`[[:alnum:]]{6,8}`
https://dumbpasswordrules.com/sites/vietnam-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
11. Limited protocol privacy behavior by default responds to certain protocol events unless in specific mode (client_hidden). But they still leak data sometimes, possibly bugs???
12. Lack of strategy on #11 means once you know a node's ID you can track it trivially both via MQTT or physically or even via BLE or Wifi.
And if you've seen my defcon talk.... you probably can figure out what I can do with #1, #2 #11 and #12 🤔
#13 No conversation privacy in default scalable configuration. Anyone can see your to/from fields and bc #1 it's great metadata.
Need to verify how bad #13 is, I think you can mitigate but most people use a public channel. The header I think it's technically encrypted BUT with a known public key so everyone can see who's talking to whom. I think you can get encrypted headers on the public channel but docs aren't clear and probably limits your hops.
Finally I suspect that IF meshtastic ever does fix their routing algo they will suffer from MITM exploits due to issues around #1, #6, #8, and #9.
Bc when you have MAC as the root of trust I can respond to your MAC and poison the routing table.
There might even be a solid security downgrade attack here too bc they have backwards compatibility for insecure DMs. So once I clone your MAC I can also downgrade security and ppl are trained to accept downgrades.
This dumb password rule is from BinckBank.
Between 10 and 16 letters and/or digits. No special characters are allowed.
Must be renewed at least every 180 days, but you can configure to let the password expire sooner.
When changing the password, the new password cannot be too similar to the existing password.
https://dumbpasswordrules.com/sites/binckbank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Man, this seems really bad.
But at least our government isn’t pulling back on the #cybersecurity we need to protect this information!
Whew!
https://www.npr.org/2025/06/29/nx-s1-5409608/citizenship-trump-privacy-voting-database
This dumb password rule is from Cigna.
A max of 12 characters... Can't handle most symbols (only 5 supported). At least they have two factor auth via email or sms **sigh**
https://dumbpasswordrules.com/sites/cigna/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from IHG.
4, yes 4, digits only.
https://dumbpasswordrules.com/sites/ihg/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Microsoft security advisories, posted yesterday, affecting six Chromium-based Edge vulnerabilities.
Microsoft security update guide: https://msrc.microsoft.com/update-guide #Microsoft #cybersecurity #infosec #Chromium
This dumb password rule is from Arlo.
Your password contains characters not listed. Therefore, they do not
match.
https://dumbpasswordrules.com/sites/arlo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from EON.
By the time I'd finished reading the rules I've forgotten all of them.
https://dumbpasswordrules.com/sites/eon/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
InfoSec Events by Region
This list only contains accounts for security bsides, events, and conferences found on Mastodon and in the fediverse. I will regularly update this post as more events migrate here. For hacker meet-ups and hackerspaces, please refer to the links below.
📌InfoSec Events by Region
📌Hacker Meet-ups by Region
📌Hackerspaces by Region
🐈🥗
@cfp_time - Call for Papers (#CFP)
@InfoCon@defcon.social - #InfoCon
@InfoconDB - #InfoconDB archive
@SecurityBSidesGlobal - Security BSides Global
@ComfyConAU - #ComfyCon
@Digit4lOverdose - D.O. Conference
@pancakescon - #PancakesCon
@BSidesCalgary - #BSidesCalgary, AB
@BSidesEdmonton - #BSidesEdmonton, AB
@BSidesFredericton - BSidesFredericton, NB
@BSidesMTL - #BSidesMTL Montreal, QC
@BSidesOttawa - #BSidesOttawa, ON
@BSidesRegina - #BSidesRegina, SK
@BSidesStJohns - #BSidesStJohns, NL
@BSidesTO - #BSidesTO Toronto, ON
@BSidesVancouver - #BSidesVancouver, BC
@BSidesVI - #BSidesVI Vancouver Island, BC
@hackfest - #Hackfest Québec City, QC
@halifaxbsides - #BSidesHalifax, NS
@NorthSec - #NorthSec Montréal, QC
@polar - #PolQc POLAR Conf, QC
@seqcure - #SeQCure Québec, QC
@thelongcon - #TheLongCon Winnipeg, MB
⸻ US - Northeast
@bsidesboston - #BSidesBoston, MA
@BSidesBuffalo - #BSidesBuffalo, NY
@BSidesCambridgeMA - #BSidesCambridge, MA
@BSidesCharm - #BSidesCharm Towson, MD
@BSidesCT - #BSidesCT Hamden, CT
@BSidesFloodCity - #BSidesFloodCity Johnstown, PA
@BSidesHBG - #BSidesHBG Harrisburg, PA
@BSidesNJ - #BSidesNJ ? NJ
@BSidesNYC - #BSidesNYC New York City, NY
@bsidesphilly - #BSidesPhilly Philadelphia, PA
@bsidespgh - #BSidesPGH Pittsburgh, PA
@bsidesroc - #BSidesROC Rochester, NY
@hushcon - #HushCon New York City, NY
@jawncon - #JawnCon Philadelphia, PA
@pumpcon - #PumpCon Philadelphia, PA
@ShmooCon - #ShmooCon Washington, DC
@SummerC0n - #SummerCon Brooklyn, NY
⸻ US - Midwest
@BlueTeamCon - #BlueTeamCon Chicago, IL
@bsides312 - #BSides312 Chicago, IL
@BSidesBloomington - #BSidesBloomington, IN
@BSides_BTown - #BSides_BTown Bloomington, IN
@bsidesboulder - #BSidesBoulder, CO
@bsideschicago - #BSidesChicago, IL
@BSidesColoradoSprings - #BSidesColoradoSprings, CO
@BSidesColumbus - #BSidesColumbus, OH
@bsidesdayton - #BSidesDayton, OH
@bsidesdenver - #BSidesDenver, CO
@BSidesFtWayne - #BSidesFtWayne, IN
@bsideskc - #BSidesKC Kansas City, MO
@BSidesMilwaukee - #BSidesMilwaukee, WI
@BSidesPeoria - #BSidesPeoria, IL
@bsidesspfd - #BSidesSpfd Springfield, MO
@CircleCityCon - #CircleCityCon Indianapolis, IN
@CypherCon - #CypherCon Milwaukee, WI
@GrrCON - #GrrCON Grand Rapids, MI
@thotcon - #THOTCON Chicago, IL
@WWHackinFest - #WWHackinFest Deadwood, SD
⸻ US - West
@bsidescv - #BSidesCV Central Valley, CA
@BSidesHawaii - #BSidesHawaii Honolulu, HI
@bsidesla - #BSidesLA Los Angeles, CA
@BSidesPDX - #BSidesPDX Portland, OR
@BsidesSD - #BSidesSD San Diego, CA
@bsidesseattle - #BSidesSeattle, WA
@bsidessf - #BSidesSF San Francisco, CA
@soups - #SOUPS Symposium on Usable Privacy and Security, Anaheim, CA
⸻ US - Southwest
@AustinHackers - #AHA Austin, TX
@BSidesAlbuquerque - #BSidesAlbuquerque, NM
@bsidesaustin - #BSidesAustin, TX
@BSidesDFW - #BSidesDFW Dallas-Fort Worth, TX
@BSidesLV - #BSidesLV Las Vegas, NV
@BSidesRGV - #BSidesRGV Rio Grande Valley, McAllen, TX
@BSidesSATX - #BSidesSATX San Antonio, TX
@BSidesSantaFe - #BSidesSantaFe, NM
@BSidesTucson - #BSidesTucson, AZ
@cactuscon - #CactusCon Mesa, AZ
@defcon - #DEFCON Las Vegas, NV
@DianaInitiative - #DianaInitiative Las Vegas, NV
⸻ US - Southeast
@bsidesatl - #BSidesATL Atlanta, GA
@BSidesAugusta - #BSidesAugusta, GA
@BSidesBirmingham - #BSidesBirmingham, AL
@BSidesCharleston - #BSidesCharleston, SC
@BSidesCLT - #BSidesCLT Charlotte, NC
@BSidesCHS - #BSidesCHS Charleston, SC
@BSidesCharlotte - #BSidesCharlotte, NC
@BSidesGVL - #BSidesGVL Greenville, SC
@BSidesHSV - #BSidesHSV Huntsville, AL
@BSidesJAX - #BSidesJAX, Jacksonville, FL
@bsideskc - #BSidesKC Kansas City, MO
@bsidesknoxville - #BSidesKnoxville, TN
@BSidesNOLA - BSidesNOLA New Orleans, LA
@BSidesNoVA - #BSidesNoVA Arlington, VA
@bsidesorlando - #BSidesOrlando, FL
@BSidesRoanoke - #BSidesRoanoke, VA
@BSidesRDU - #BSidesRDU Raleigh/Durham, NC
@bsidesspfd - #BSidesSPFD Springfield, MO
@bsidesSTL - #BSidesSTL St. Louis, MO
@BSidesStPete - #BSidesStPete St. Petersburg, FL
@BSidesTampa - #BSidesTampa, FL
@CackalackyCon - #Cackalacky Con, Raleigh, NC
@CYBERWARCON - #CyberwarCon Arlington, VA
@securityonion - #SecurityOnion Con, Augusta, GA
⸻ US - Territories
@BSidesPR - #BSidesPR San Juan, PR 🇵🇷
@BSidesCaymanIslands - #BSidesCaymanIslands, KY 🇰🇾
@BSidesArgentina - #BSidesArgentina Jujuy, Argentina 🇦🇷
@bsidescdmx - #BSidesCDMX Mexico City, Mexico 🇲🇽
@BSidesCO - #BSidesCO Bogotá, Colombia 🇨🇴
@bsidesjp - #BSidesJoãoPessoa, Brazil 🇧🇷
@BSidesPeru - #BSidesPeru Lima, Peru 🇵🇪
@BSidesPanama - #BSidesPanama Panama City, Panama 🇵🇦
@BSidesSP - #BSidesSP Sao Paulo, Brazil 🇧🇷
@BSidesVitória - #BSidesVitória, Brazil 🇧🇷
@botconf - #Botconf Nice, FR 🇫🇷
@brucon - #BruCON Mechelen, BE 🇧🇪
@BSidesAthens - #BSidesAthens, GR 🇬🇷
@BSidesBUD - #BSidesBUD Budapest, HU 🇭🇺
@BSidesCyprus - #BSidesCyprus Limassol, CY 🇨🇾
@BSidesDublin - #BSidesDublin, IE 🇮🇪
@BSidesKraków - #BSidesKraków, PL 🇵🇱
@bsideskbh - #BSidesKbh København, DK 🇩🇰
@bsideslisbon - #BSidesLisbon, PT 🇵🇹
@bsidesljubljana - #BSidesLjubljana, SI 🇸🇮
@BSidesMilano - #BSidesMilano, IT 🇮🇹
@BSidesOsijek - #BSidesOsijek, HR 🇭🇷
@bsidesoslo - #BSidesOslo, NO 🇳🇴
@BSidesPrishtina - #BSidesPrishtina, XK 🇽🇰
@BSidesRoma - #BSidesRoma, IT 🇮🇹
@bsidesrvk - #BSidesReykjavik, IS 🇮🇸
@BSidesSOF - #BSidesSOF Sofia, BG 🇧🇬
@BSidesTallinn - #BSidesTallinn, EE 🇪🇪
@BSidesTirana - #BSidesTirana, AL 🇦🇱
@BSidesTransylvania - #BSidesTransylvania Cluj-Napoca, RO 🇷🇴
@BSidesUmeå - #BSidesUmeå, SE 🇸🇪
@bsidesvienna - #BSidesVienna, AT 🇦🇹
@BSidesZurich - #BSidesZurich, CH 🇨🇭
@deepsec - #DeepSec Con, Vienna, AT 🇦🇹
@hack_lu - #HackLu, LU 🇱🇺
@passthesaltcon - Pass the SALT Con, Lille, FR 🇫🇷
@SEC_T - SEC-T Con, Stockholm, SE 🇸🇪
@securitybsidesitalia - #BSidesItalia IT 🇮🇹
@TumpiConIT - #TumpiCon Turin area, IT 🇮🇹
@BSidesBerlin - #BSidesBerlin
@BSidesFrankfurt - #BSidesFrankfurt am Main
@BSidesMunich - #BSidesMunich
@BSidesStuttgart - #BSidesStuttgart
@elbsides - #Elbsides Hamburg
@WEareTROOPERS - TROOPERS Conference, Heidelberg
@44CON - #44CON London 🏴
@AbertayHackers - #SecuriTay Abertay, Dundee, 🏴
@BSidesBasingstoke - #BSidesBasingstoke
@BSidesBelfast - #BSidesBelfast
@BSidesBHAM - #BSidesBham Birmingham 🏴
@BSidesBristol - #BSidesBristol
@BSidesCambridge - #BSidesCambridge
@BSidesCheltenham - #BSidesCheltenham 🏴
@BSidesDundee - #BSidesDundee 🏴
@BSidesExeter - #BSidesExeter
@BSidesLancashire - #BSidesLancashire
@bsidesleeds - #BSidesLeeds 🏴
@BSidesNewcastle - #BSidesNewcastle
@VirusBulletin - #VB2024 VirusBulletin, London 🏴
@BSidesCapeTown - #BSidesCapeTown, South Africa 🇿🇦
@BSidesNairobi - #BSidesNairobi, Kenya 🇰🇪
@BSidesAhmedabad - #BSidesAhmedabad
@BSidesBangalore - #BSidesBangalore
@BSidesChennai - #BSidesChennai
@BSidesIndore - #BSidesIndore
@BSidesJaipur - #BSidesJaipur
@bsidesodisha - #BSidesOdisha
@BSidesMyanmar - #BSidesMyanmar, Myanmar 🇲🇲
@BSidesSG - #BSidesSG Singapore, China 🇨🇳
@BSidesTokyo - #BSidesTokyo, Japan 🇯🇵
@BSidesYerevan - #BSidesYerevan, Armenia 🇦🇲
@bsides_bne - #BSides_Bne Brisbane, AU 🇦🇺
@bsidescbr - #BSidesCanberra, AU 🇦🇺
@bsidesmelbourne - #BSidesMelbourne, AU 🇦🇺
@bsidesperth - #BSidesPerth, AU 🇦🇺
@bsidessydney - #BSidesSydney, AU 🇦🇺
@crikeycon - #CrikeyConAU Brisbane, AU 🇦🇺
⸻
For other events not in the fediverse try:
➡️https://securitybsides.com
➡️https://github.com/xsa/infosec-events by Xavier Santolaria @0x58
Feel free to use, copy, modify, steal, boost, encrypt, or plagiarize this information any way you want. 𝟶 "No Rights Reserved"